自学-Shiro的MD5加密及更加严格的盐值加密-08

上一节我们看到了是通过credentialsMatcher 属性来进行的密码的比对的，那我们

怎么才能把客户输入的密码进行MD5加密呢？

首先我们先来看下credentialsMatcher的继承类都有哪些？

所以我们可以通过org.apache.shiro.authc.credential.HashedCredentialsMatcher 来进行MD5加密，但是我们该怎么进行处理呢？

我们刚开始可能是一头雾水，其实我们可以看shiro源码包中给的例子进行来学习：

代码如下：

<!-- Used by the SecurityManager to access security data (users, roles, etc).         Many other realm implementations can be used too (PropertiesRealm,         LdapRealm, etc. -->    <bean id="jdbcRealm" class="org.apache.shiro.samples.spring.realm.SaltAwareJdbcRealm">        <property name="name" value="jdbcRealm"/>        <property name="dataSource" ref="dataSource"/>        <property name="credentialsMatcher">            <!-- The 'bootstrapDataPopulator' Sha256 hashes the password                 (using the username as the salt) then base64 encodes it: -->            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">                <property name="hashAlgorithmName" value="SHA-256"/>                <!-- true means hex encoded, false means base64 encoded -->                <property name="storedCredentialsHexEncoded" value="false"/>            </bean>        </property>    </bean>

这个配置的是SHA-256的加密方式，那么MD5的加密方式我们大概就知道了吧？

代码如下：

applicationContext.xml：

 <!-- 实现Realm接口即可。 -->    <bean id="jdbcRealm" class="com.yiyi.realm.MyRealm">    <!--验证方式-->    <property name="credentialsMatcher" >    <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">    <property name="hashAlgorithmName" value="MD5"></property>//加密的方式    <property name="hashIterations" value="10000"></property>//加密次数    </bean>    </property>    </bean>

现在我们是进行假数据来进行密码的比对的，设置数据库的密码是123456，那怎么才能让123456明文密码成为MD5加密的密码呢？

MyRealm.java:

package com.yiyi.realm;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.AuthenticationInfo;import org.apache.shiro.authc.AuthenticationToken;import org.apache.shiro.authc.LockedAccountException;import org.apache.shiro.authc.SimpleAuthenticationInfo;import org.apache.shiro.authc.UnknownAccountException;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.crypto.hash.SimpleHash;import org.apache.shiro.realm.AuthenticatingRealm;public class MyRealm extends AuthenticatingRealm {@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {// 将AuthenticationToken对象转换成UsernamePasswordToken对象UsernamePasswordToken upToken = (UsernamePasswordToken) token;// 获取UsernamePasswordToken中的用户名String username = upToken.getUsername();// 从数据库中查询 username 对应的用户记录System.out.println("从数据库中查找" + username + "的信息");// 若用户的信息不存在，则抛出UnknownAccountException异常。if ("unknown".equals(username)) {throw new UnknownAccountException("用户不存在");}// 根据用户的信息进行反馈，则抛出LockedAccountException异常。if ("han".equals(username)) {throw new LockedAccountException("用户被锁定");}// 根据用户的信息来封装SimpleAuthenticationInfo对象。// 当前 realm 对象的 nameString realmName = getName();// 认证的实体信息。Object principal = username;// 密码Object credentials = "0d529a42cbebd3943ad4709d8dea32a2";SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(principal,credentials, realmName);return info;}/** * 明文进行谜面进行加密 * @param args */public static void main(String[] args) {int hashIterations = 10000;//加密的次数Object salt = null;//盐值Object credentials = "123456";//密码String hashAlgorithmName = "MD5";//加密方式Object simpleHash = new SimpleHash(hashAlgorithmName, credentials,salt, hashIterations);System.out.println("加密后的值----->" + simpleHash);}}

这个密码已经进行MD5加密了，为什么我们还是不满足这样的加密呢？其实还有更加精确的加密，那就是MD5盐值加密。

怎么来进行盐值加密呢？我们来一起看看吧！

假如俩个或者更多的用户名不一样，但是设置的密码一样呢？我们就用MD5盐值加密的方法来处理。

代码如下：

package com.yiyi.realm;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.AuthenticationInfo;import org.apache.shiro.authc.AuthenticationToken;import org.apache.shiro.authc.LockedAccountException;import org.apache.shiro.authc.SimpleAuthenticationInfo;import org.apache.shiro.authc.UnknownAccountException;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.crypto.hash.SimpleHash;import org.apache.shiro.realm.AuthenticatingRealm;import org.apache.shiro.util.ByteSource;public class MyRealm extends AuthenticatingRealm {@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {// 将AuthenticationToken对象转换成UsernamePasswordToken对象UsernamePasswordToken upToken = (UsernamePasswordToken) token;// 获取UsernamePasswordToken中的用户名String username = upToken.getUsername();// 从数据库中查询 username 对应的用户记录System.out.println("从数据库中查找" + username + "的信息");// 若用户的信息不存在，则抛出UnknownAccountException异常。if ("unknown".equals(username)) {throw new UnknownAccountException("用户不存在");}// 根据用户的信息进行反馈，则抛出LockedAccountException异常。if ("han".equals(username)) {throw new LockedAccountException("用户被锁定");}// 根据用户的信息来封装SimpleAuthenticationInfo对象。// 当前 realm 对象的 nameString realmName = getName();// 认证的实体信息。Object principal = username;// 密码Object hashedCredentials = null;if("admin".equals(username)){ hashedCredentials = "2abec21dc41c75c88cb87e7306c5e75f";}else if("zhao".equals(username)){hashedCredentials = "399503120959cd94972d6d5f3a9d4c61";}//盐值ByteSource credentialsSalt = ByteSource.Util.bytes(username);SimpleAuthenticationInfo info=new SimpleAuthenticationInfo(principal, hashedCredentials, credentialsSalt, realmName);return info;}/** * 明文密码进行加密 * @param args */public static void main(String[] args) {int hashIterations = 10000;//加密的次数Object salt = "zhao";//盐值Object credentials = "123456";//密码String hashAlgorithmName = "MD5";//加密方式Object simpleHash = new SimpleHash(hashAlgorithmName, credentials,salt, hashIterations);System.out.println("加密后的值----->" + simpleHash);}}